The SitePoint Forums have moved.

You can now find them here.
This forum is now closed to new posts, but you can browse existing content.
You can find out more information about the move and how to open a new account (if necessary) here.
If you get stuck you can get support by emailing forums@sitepoint.com

If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Hybrid View

My grasp of sessions is not great, but I have been using them without incident for about six months now on my company's intranet. Over the last month I wrote an application to log my departments time using mysql, php. It takes advantage of the session tracking already in place, and has passed our internal QA cycle with flying colors. Here is my problem:

I use a session file to track the session. An employee has to be logged in to see the link for the application. They also have to be logged in to view th page, if not, they are prompted to log in. If they logged in, and the session expires, then try to click on a link, they are prompted to log in before they can continue. All of this has been working fine. So up goes the time logging app yesterday and people start using it.

Someone manages to enter time into the app, without their name! Which seems impossible because you have to be logged in to use the app, and if you are logged in, the app knows who you are and uses that value to give the time logged an owner.

Ok, so after I recover from my heart attack, I go about debugging this and I manage to reproduce the occurance by logging in, going to the page where a users logs and submits a chunk of time. Before submitting the form though, I go to the server and delete the session file. Then back to the form, submit it, and it appears to do what it should by refreshing the page and prompting me to log in. I check the database, and there is the row without the user name.

I have determined that this must be a freak occrance of someone submitting the form at the same time that php had determined that the session files were garbage and deleting them.

I'm not sure that I am asking for anything more than insight or comments here because I don't think that it will happen again (I hope).

Has anybody had similar problems, bugs. How should I fine tune the deleting of garbage session files? Ideally, I would have the ability to delete all session files at a certain time of day, like when no one was using the intranet.

Someone manages to enter time into the app, without their name! Which seems impossible because you have to be logged in to use the app, and if you are logged in, the app knows who you are and uses that value to give the time logged an owner.

At the top of every page that you want to protect, check for validation of user such as testing for valid userid and password.

That works fine to make sure that they are a valid user when they arrive at that page, but the problem is at the time of submit. For instance: They have logged in, they navigate to that page. Each page checks the session file for the logged_in value, which is set to 1 or 0. If it's 0, they are prompted to log in, if not they can view the page. So, they get to that page, the session value for logged_in is 1 so it let's them view the page, but before they can submit the form, the session file gets deleted. The insert into the database succeeds even though they are prompted to logg in again.

I did manage to write a simple if statement that checks to see if the name variable is null, if it is, no insert is performed and they are prompted to log in. This seems to take care of the problem. But I am still curious about the fine tuning of [session] section in the php.ini file to avoid things of this nature.

Why don't you move the script that makes sure that they are logged in to the bottom of everypage. This way, when they have completed everything on the page, they are then checked before they can move on, this way, even if they have been idle for too long, they will still be able to finish what they are doing before they are checked to see if they are logged in...just an idea.

I don't know if that will work, because then they will be able to do what they want on the first page of the series that they are working on, so maybe it wouldn't work...just food for thought anyways.